By default, the workflow cluster console is accessible only through the cluster's default domain. To use a custom domain with a trusted SSL certificate instead — for example, in a production environment — you need to create a CNAME record that maps your custom domain to the cluster's default domain, install an SSL certificate in the cluster, and register the custom domain as the OAuth callback URL. After completing these steps, use a CloudSSO account to access the console at https://${your-domain}:2746.
Prerequisites
Before you begin, ensure that you have:
A workflow created. See Create a workflow
A kubectl client connected to the workflow cluster. See Connect kubectl to a cluster
Configure custom domain access
Step 1: Create a CNAME record
Log on to the Alibaba Cloud DNS console and create a CNAME record that maps your custom domain to the workflow cluster's default domain.
The default domain follows this format:
argo.${your-workflow-cluster-id}.${region}.alicontainer.com

| Placeholder | Description |
|---|---|
| ${your-workflow-cluster-id} | The ID of your workflow cluster |
| ${region} | The region where the workflow cluster is deployed |
Step 2: Install the SSL certificate
Install the SSL certificate in the workflow cluster so your browser trusts the custom domain. This involves two sub-steps: creating a Kubernetes TLS Secret from your certificate files, and configuring argo-server to load that Secret.
2.1 Create a TLS Secret
Run the following command to create a Secret named argo-server-tls in the workflow cluster namespace.
Replace ${your-workflow-cluster-id} with the ID of your workflow cluster. Replace /path/to/cert.pem and /path/to/key.pem with the actual paths to your certificate and private key files.
kubectl create -n ${your-workflow-cluster-id} secret tls argo-server-tls \
--cert=/path/to/cert.pem \
--key=/path/to/key.pem
2.2 Configure argo-server to use the TLS Secret
Run the following command to open the argo-server Deployment for editing. Replace ${your-workflow-cluster-id} with the ID of your workflow cluster.
kubectl -n ${your-workflow-cluster-id} edit deploy argo-server
Add the following flag to the argo-server Deployment configuration:
--tls-certificate-secret-name=argo-server-tls
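A pre-flight check to run on the certificate files before creating the Secret in step 2.1, as an added example that is not part of the original documentation: it uses openssl to confirm that the private key matches the certificate, that the certificate covers the custom domain, and that it is not about to expire. The function names, return codes and the 30-day default are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the files passed to `kubectl create ... secret tls`.
# Function names, return codes and the 30-day default are assumptions of this example.

# check_tls_pair CERT KEY DOMAIN [MIN_DAYS]
# Returns 0 if usable, 1 unreadable input, 2 key/cert mismatch,
# 3 certificate does not cover DOMAIN, 4 expires within MIN_DAYS.
check_tls_pair() {
  local cert="$1" key="$2" domain="$3" min_days="${4:-30}"
  local cert_pub key_pub

  # Compare the public key embedded in the certificate with the one derived
  # from the private key (works for RSA and EC keys alike).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "cannot read certificate: $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "cannot read private key: $key" >&2; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not belong to this certificate" >&2; return 2
  fi

  # -checkhost applies SAN and wildcard matching; test its message rather
  # than the exit status.
  if ! openssl x509 -in "$cert" -noout -checkhost "$domain" | grep -q "does match"; then
    echo "certificate does not cover $domain" >&2; return 3
  fi

  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "certificate expires within $min_days days" >&2; return 4
  fi
  return 0
}

# make_sample_pair DIR DOMAIN [DAYS]: constructed self-signed pair, only for
# trying the check offline.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "${3:-90}" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage: ./check-tls.sh /path/to/cert.pem /path/to/key.pem console.example.com
if [ "$#" -ge 3 ]; then
  check_tls_pair "$@"
fi
```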
Step 3: Register the custom domain as the OAuth callback URL
Add your custom domain to the callback URL of the OAuth application in Resource Access Management (RAM). This allows the OAuth flow to redirect back to your custom domain after authentication.
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, choose Integrations > OAuth Preview.
On the Enterprise Applications tab, click the OAuth application for your workflow cluster. The application name follows this format:
ackone-argo-${your-workflow-cluster-id}@app.${your-uid}.onaliyun.com
Where ${your-workflow-cluster-id} is your workflow cluster ID and ${your-uid} is your Alibaba Cloud account ID.
In the Basic Information section, click Edit Basic Information. Set Callback URL to the following value, replacing ${your-domain} with your custom domain:
https://${your-domain}:2746/oauth2/callback
Step 4: Access the console
In your browser's address bar, enter the following URL, replacing ${your-domain} with your custom domain:
https://${your-domain}:2746
Log on with a CloudSSO account.
What's next
To register a domain name on Alibaba Cloud, see Register a domain name on Alibaba Cloud.
To create a workflow, see Create a workflow.
To monitor a workflow cluster in real time using Managed Service for Prometheus, see Enable Managed Service for Prometheus.